PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-9018 themewant CVE debrief

CVE-2026-9018 affects the Easy Elements for Elementor – Addons & Website Templates WordPress plugin through version 1.4.5. The supplied vulnerability description says the plugin’s public registration flow can write attacker-controlled custom meta into a newly created user account, which can overwrite sensitive fields such as wp_capabilities and turn the account into an administrator. The exposure depends on user registration being enabled and a page exposing the Login/Register widget, which publishes the nonce needed for the AJAX request. NVD lists the issue as High severity (CVSS 8.8). From a defensive standpoint, this is a site-takeover risk because it targets the account creation path rather than a logged-in admin workflow.

Vendor: themewant
Product: Easy Elements for Elementor – Addons & Website Templates
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-22
Original CVE updated: 2026-05-22
Advisory published: 2026-05-22
Advisory updated: 2026-05-22

Who should care

WordPress site administrators, managed hosting providers, plugin security teams, and defenders responsible for sites that enable public registration or use the Easy Elements Login/Register widget.

Technical summary

The NVD record and the referenced Wordfence analysis describe a flaw in easyel_handle_register(), the callback behind the wp_ajax_nopriv_eel_register AJAX handler. The handler iterates the attacker-controlled custom_meta POST array and writes every key/value pair into the new user record via update_user_meta() with neither an allowlist nor a blocklist of meta keys. Because wp_insert_user() has already assigned a benign role by that point, a later write to wp_capabilities can replace it with administrator privileges. The supplied references also point to the plugin’s enqueue and login/register widget code, which matters because the widget publishes the easy_elements_nonce in page content, so any visitor to such a page obtains the nonce the AJAX request requires. The source corpus also carries the CVSS vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H; its PR:L component (low privileges required) does not align with the narrative’s claim that the flaw is reachable by an unauthenticated visitor, which would correspond to PR:N.

Defensive priority

High. If this plugin is installed on a site that allows registration or exposes the Login/Register widget publicly, treat it as a potential admin takeover path and remediate quickly.

Recommended defensive actions

  • Update the Easy Elements for Elementor plugin as soon as a vendor-patched release is available; if no patched release is available, remove or disable the plugin on exposed sites.
  • Disable WordPress user registration unless it is explicitly required for business use.
  • Remove the Login/Register widget from public pages or otherwise prevent unauthenticated visitors from reaching the registration flow.
  • Review the registration implementation for a strict allowlist of user meta keys and ensure sensitive keys such as wp_capabilities cannot be set by request input.
  • Audit newly created accounts and user meta for unexpected administrator roles or suspicious wp_capabilities values.
  • Revoke and rotate credentials for any accounts created through the vulnerable registration path and review recent authentication and admin activity.
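Serving both the technical summary above and the allowlist recommendation in the actions list, the following is an added example (not the plugin's, Wordfence's or NVD's code) of how a registration handler for the described wp_ajax_nopriv_eel_register action can be hardened so request input can never reach role or capability meta. The allowlist contents, the nonce action and field names, and the function names are assumptions.

```php
// Added illustrative example, not the plugin's code: a hardened registration handler
// that writes custom meta only from an allowlist; names marked "assumed" are not from the page.

// Meta keys a self-registration form may set (assumed list).
const EEL_ALLOWED_REGISTRATION_META = array( 'first_name', 'last_name', 'description' );

// Returns true only for allowlisted keys that are not capability or level keys.
function eel_is_allowed_registration_meta_key( $key ) {
    global $wpdb;
    // With the default table prefix these are wp_capabilities and wp_user_level.
    $protected = array( $wpdb->prefix . 'capabilities', $wpdb->prefix . 'user_level' );
    if ( ! is_string( $key ) || in_array( $key, $protected, true ) ) {
        return false;
    }
    return in_array( $key, EEL_ALLOWED_REGISTRATION_META, true );
}

// Hardened handler (assumed name) for the nopriv registration AJAX action.
function eel_handle_register_hardened() {
    check_ajax_referer( 'easy_elements_nonce', 'nonce' ); // nonce action and field names assumed
    if ( ! get_option( 'users_can_register' ) ) {
        wp_send_json_error( 'Registration is disabled.', 403 );
    }
    $username = sanitize_user( wp_unslash( $_POST['username'] ?? '' ), true );
    $email    = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    $password = (string) wp_unslash( $_POST['password'] ?? '' );
    if ( '' === $username || ! is_email( $email ) || '' === $password ) {
        wp_send_json_error( 'Invalid registration data.', 400 );
    }
    // The role is fixed server-side and is never read from the request.
    $user_id = wp_insert_user( array(
        'user_login' => $username,
        'user_email' => $email,
        'user_pass'  => $password,
        'role'       => get_option( 'default_role', 'subscriber' ),
    ) );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( $user_id->get_error_message(), 400 );
    }
    // Only allowlisted scalar values reach update_user_meta(); everything else is dropped.
    $custom_meta = isset( $_POST['custom_meta'] ) && is_array( $_POST['custom_meta'] ) ? wp_unslash( $_POST['custom_meta'] ) : array();
    foreach ( $custom_meta as $key => $value ) {
        if ( eel_is_allowed_registration_meta_key( $key ) && is_scalar( $value ) ) {
            update_user_meta( $user_id, $key, sanitize_text_field( $value ) );
        }
    }
    wp_send_json_success( array( 'user_id' => $user_id ) );
}
add_action( 'wp_ajax_nopriv_eel_register', 'eel_handle_register_hardened' );
```

The same allowlist check is the control to look for when auditing the installed plugin's handler, since a blocklist alone misses prefixed capability keys on sites with a non-default table prefix.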

Evidence notes

The debrief is based only on the supplied NVD record, its WordPress plugin source references, and the cited Wordfence advisory. The most relevant corpus items are the plugin source links for Enqueue.php and widgets/login-register/class.login-register.php, which correspond to the nonce publication and registration handler described in the record.

Official resources

NVD published and last modified the record at 2026-05-22T05:16:28.067Z. The supplied corpus does not include a separate vendor fix advisory or patched version number.